AzSentinel.psm1

#requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'}
#requires -module @{ModuleNAme = 'powershell-yaml'; ModuleVersion = '0.4.0'}
#requires -version 6.2

enum Severity {
    Medium
    High
    Low
    Informational
}

enum Tactics {
    InitialAccess
    Persistence
    Execution
    PrivilegeEscalation
    DefenseEvasion
    CredentialAccess
    LateralMovement
    Discovery
    Collection
    Exfiltration
    CommandAndControl
    Impact
}

enum TriggerOperator {
    GreaterThan
    FewerThan
    EqualTo
    NotEqualTo
}

class AlertProp {

    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [guid] $Name

    [Parameter(Mandatory)]
    [string] $DisplayName

    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string] $Description

    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [Severity] $Severity

    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [bool] $Enabled

    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string] $Query

    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string] $QueryFrequency

    [ValidateNotNullOrEmpty()]
    [string] $QueryPeriod

    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [TriggerOperator] $TriggerOperator

    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [Int] $TriggerThreshold

    [Parameter(Mandatory)]
    [AllowEmptyString()]
    [string] $SuppressionDuration

    [Parameter(Mandatory)]
    [bool] $SuppressionEnabled

    [Parameter(Mandatory)]
    [AllowEmptyCollection()]
    [Tactics[]] $Tactics

    AlertProp ($Name, $DisplayName, $Description, $Severity, $Enabled, $Query, $QueryFrequency, $QueryPeriod, $TriggerOperator, $TriggerThreshold, $suppressionDuration, $suppressionEnabled, $Tactics) {
        $this.name = $Name
        $this.DisplayName = $DisplayName
        $this.Description = $Description
        $this.Severity = $Severity
        $this.Enabled = $Enabled
        $this.Query = $Query
        $this.QueryFrequency = ("PT" + $QueryFrequency).ToUpper()
        $this.QueryPeriod = ("PT" + $QueryPeriod).ToUpper()
        $this.TriggerOperator = $TriggerOperator
        $this.TriggerThreshold = $TriggerThreshold
        $this.SuppressionDuration = if (! ($null -eq $suppressionDuration) -or ! ($null -eq $suppressionEnabled)) { ("PT" + $suppressionDuration).ToUpper() } else { "PT1H" }
        $this.SuppressionEnabled = if ($suppressionEnabled) { $suppressionEnabled } else { $false }
        $this.Tactics = $Tactics
    }
}

class AlertRule {
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [guid] $Name

    [Parameter(Mandatory)]
    [string] $Etag

    [Parameter(Mandatory = $false)]
    [string]$type

    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [AlertProp]$Properties

    [Parameter(Mandatory)]
    [string]$Id

    AlertRule ([guid]$Name, [string]$Etag, [AlertProp]$Properties, $Id) {

        $this.id = $Id
        $this.type = 'Microsoft.SecurityInsights/alertRules'
        $this.Name = $Name
        $this.Etag = $Etag
        $this.Properties = $Properties
    }
}

function Compare-Policy {
    <#
    .SYNOPSIS
    Compare PS Objects
    .DESCRIPTION
    This function is used for comparison to see if a rule needs to be updated
    .PARAMETER ReferenceTemplate
    Reference template is the data of the AlertRule as active on Azure
    .PARAMETER DifferenceTemplate
    Difference template is data that is generated and will be uploaded to Azure
    .EXAMPLE
    Compare-Policy -ReferenceTemplate -DifferenceTemplate
    .NOTES
    NAME: Compare-Policy
    #>


    [CmdletBinding()]
    param (
        # Reference value is the Online available
        [Parameter(Mandatory)]
        [psobject]$ReferenceTemplate,

        # Difference template is the template that will be uploaded
        [Parameter(Mandatory)]
        [psobject]$DifferenceTemplate
    )

    process {
        $objprops = $ReferenceTemplate | Get-Member -MemberType Property, NoteProperty | ForEach-Object Name
        $objprops += $DifferenceTemplate | Get-Member -MemberType Property, NoteProperty | ForEach-Object Name
        $objprops = $objprops | Sort-Object -Unique | Select-Object

        $diffs = @()

        foreach ($objprop in $objprops) {
            $diff = Compare-Object $ReferenceTemplate $DifferenceTemplate -Property $objprop
            if ($diff) {
                $diffprops = @{
                    PropertyName = $objprop
                    RefValue     = ($diff | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object $($objprop))
                    DiffValue    = ($diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object $($objprop))
                }
                $diffs += New-Object PSObject -Property $diffprops
            }
        }
        if ($diffs) {
            return ($diffs | Select-Object PropertyName, RefValue, DiffValue)
        }
    }
}

function Get-AuthToken {
    <#
    .SYNOPSIS
    Get Authorization Token
    .DESCRIPTION
    This function is used to generate the Authtoken for API Calls
    .EXAMPLE
    Get-AuthToken
    #>


    [CmdletBinding()]
    param (

    )

    try {
        $azContext = Get-AzContext

        if ($null -ne $azContext) {
            Write-Verbose -Message "Using Subscription: $($azContext.Subscription.Name) from tenant $($azContext.Tenant.Id)"

            $azProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
            $profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azProfile)
            $script:accessToken = $profileClient.AcquireAccessToken($azContext.Subscription.TenantId)
            $script:subscriptionId = $azContext.Subscription.Id
            $script:tenantId = $azContext.Tenant.Id
        } else {
            throw 'No subscription available, Please use Connect-AzAccount to login and select the right subscription'
        }
    } catch {
        $PSCmdlet.ThrowTerminatingError($_)
    }
}

function Get-LogAnalyticWorkspace {
    <#
    .SYNOPSIS
    Get log analytic workspace
    .DESCRIPTION
    This function is used by other function for getting the workspace infiormation and seting the right values for $script:workspace and $script:baseUri
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER FullObject
    If you want to return the full object data
    .EXAMPLE
    Get-LogAnalyticWorkspace -WorkspaceName ""
    This example will get the Workspace and set workspace and baseuri param on Script scope level
    .EXAMPLE
    Get-LogAnalyticWorkspace -WorkspaceName "" -FullObject
    This example will get the Workspace ands return the full data object
    .EXAMPLE
    Get-LogAnalyticWorkspace -SubscriptionId "" -WorkspaceName ""
    This example will get the workspace info from another subscrion than your "Azcontext" subscription
    .NOTES
    NAME: Get-LogAnalyticWorkspace
    #>

    param (
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$WorkspaceName,

        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [Switch]$FullObject
    )

    begin {
        precheck
    }

    process {
        if ($SubscriptionId) {
            Write-Verbose "Getting Worspace from Subscription $($subscriptionId)"
            $uri = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-11-01-preview"
        }
        elseif ($script:subscriptionId) {
            Write-Verbose "Getting Worspace from Subscription $($script:subscriptionId)"
            $uri = "https://management.azure.com/subscriptions/$($script:subscriptionId)/providers/Microsoft.OperationalInsights/workspaces?api-version=2015-11-01-preview"
        }
        else {
            Write-Error "No SubscriptionID provided" -ErrorAction Stop
        }

        $workspaces = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader
        $workspaceObject = ($workspaces.Content | ConvertFrom-Json).value | Where-Object { $_.name -eq $WorkspaceName }

        if ($workspaceObject) {
            $Script:workspace = ($workspaceObject.id).trim()
            $script:baseUri = "https://management.azure.com$($Script:workspace)"
            if ($FullObject) { return $workspaceObject }
            Write-Verbose ($workspaceObject | Format-List | Format-Table | Out-String)
            Write-Verbose "Found Workspace $WorkspaceName in RG $($workspaceObject.id.Split('/')[4])"
        }
        else {
            Write-Error "Unable to find workspace $WorkspaceName under Subscription Id: $($script:subscriptionId)" -ErrorAction Stop
        }
    }
}

function precheck {
    <#
    .SYNOPSIS
    precheck
    .DESCRIPTION
    This function will test the authentication token before executing call to the Azure API
    .EXAMPLE
    precheck
    This will run the precheck function
    #>

    if ($null -eq $script:accessToken) {
        Get-AuthToken
    } elseif ([datetime]::UtcNow.AddMinutes(5) -lt $script:accessToken.ExpiresOn.DateTime ) {
        # if token expires within 5 minutes, request a new one
        Get-AuthToken
    }

    $script:authHeader = @{
        'Content-Type' = 'application/json'
        Authorization = 'Bearer ' + $script:accessToken.AccessToken
    }
}

function Get-AzSentinelAlertRule {
    <#
    .SYNOPSIS
    Get Azure Sentinel Alert Rules
    .DESCRIPTION
    With this function you can get the configuration of the Azure Sentinel Alert rule from Azure Sentinel
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER RuleName
    Enter the name of the Alert rule
    .EXAMPLE
    Get-AzSentinelAlertRule -WorkspaceName "" -RuleName "",""
    In this example you can get configuration of multiple alert rules in once
    #>


    [cmdletbinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$WorkspaceName,

        [Parameter(Mandatory = $false,
            ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string[]]$RuleName
    )

    begin {
        precheck
    }

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
                }
            }
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
                }
            }
        }
        Get-LogAnalyticWorkspace @arguments

        $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules?api-version=2019-01-01-preview"
        Write-Verbose -Message "Using URI: $($uri)"
        $alertRules = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader
        Write-Verbose "Found $((($alertRules.Content | ConvertFrom-Json).value).count) Alert rules"
        $return = @()

        if ($alertRules) {
            if ($RuleName.Count -ge 1) {
                foreach ($rule in $RuleName) {
                    [PSCustomObject]$temp = ($alertRules.Content | ConvertFrom-Json).value | Where-Object { $_.properties.displayName -eq $rule }
                    if ($null -ne $temp) {
                        $temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force
                        $temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force
                        $temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force

                        $return += $temp.properties
                    }
                    else {
                        Write-Error "Unable to find Rule: $rule"
                    }
                }
                return $return
            }
            else {
                ($alertRules.Content | ConvertFrom-Json).value | ForEach-Object {
                    $_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
                    return $_.properties
                }
            }
        }
        else {
            Write-Warning "No rules found on $($WorkspaceName)"
        }
    }
}

function Get-AzSentinelHuntingRule {
    <#
    .SYNOPSIS
    Get Azure Sentinel Hunting rule
    .DESCRIPTION
    With this function you can get the configuration of the Azure Sentinel Hunting rule from Azure Sentinel
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER RuleName
    Enter the name of the Hunting rule name
    .PARAMETER Filter
    Select which type of Hunting rule you want to get
    .EXAMPLE
    Get-AzSentinelHuntingRule -WorkspaceName "" -RuleName "",""
    In this example you can get configuration of multiple Hunting rules
    .EXAMPLE
    Get-AzSentinelHuntingRule -WorkspaceName ""
    In this example you can get a list of all the Hunting rules in once
    #>


    [cmdletbinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$WorkspaceName,

        [Parameter(Mandatory = $false,
            ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string[]]$RuleName,

        [Parameter(Mandatory = $false)]
        [validateset("HuntingQueries", "GeneralExploration", "LogManagement")]
        [string]$Filter
    )

    begin {
        precheck
    }

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
                }
            }
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
                }
            }
        }
        Get-LogAnalyticWorkspace @arguments

        $uri = "$script:baseUri/savedSearches?api-version=2017-04-26-preview"

        Write-Verbose -Message "Using URI: $($uri)"
        $alertRules = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader
        Write-Verbose "Found $((($alertRules.Content | ConvertFrom-Json).value).count) Alert rules"
        $return = @()

        if ($alertRules) {
            if ($RuleName.Count -ge 1) {
                foreach ($rule in $RuleName) {
                    [PSCustomObject]$temp = ($alertRules.Content | ConvertFrom-Json).value | Where-Object {$_.properties.displayName -eq $rule}
                    if ($null -ne $temp) {
                        $temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force
                        $temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force
                        $temp.properties | Add-Member -NotePropertyName etag -NotePropertyValue $temp.etag -Force

                        $return += $temp.Properties
                    }
                    else {
                        Write-Warning "Unable to find Rule: $rule"
                    }
                }
                return $return
            }
            else {
                ($alertRules.Content | ConvertFrom-Json).value | ForEach-Object {
                    $_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force
                    $_.properties | Add-Member -NotePropertyName id -NotePropertyValue $_.id -Force
                    $_.properties | Add-Member -NotePropertyName etag -NotePropertyValue $_.etag -Force
                    return $_.properties
                }
            }
        }
        else {
            Write-Warning "No rules found on $($WorkspaceName)"
        }
    }
}

function Get-AzSentinelIncident {
    <#
    .SYNOPSIS
    Get Azure Sentinel Incident
    .DESCRIPTION
    With this function you can get a list of open incidents from Azure Sentinel.
    You can can also filter to Incident with speciefiek case namber or Case name
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER IncidentName
    Enter incident name, this is the same name as the alert rule that triggered the incident
    .PARAMETER CaseNumber
    Enter the case number to get specfiek details of a open case
    .EXAMPLE
    Get-AzSentinelIncident -WorkspaceName ""
    Get a list of all open Incidents
    .EXAMPLE
    Get-AzSentinelIncident -WorkspaceName "" -CaseNumber
    Get information of a specifiek incident with providing the casenumber
    .EXAMPLE
    Get-AzSentinelIncident -WorkspaceName "" -IncidentName "",""
    Get information of one or more incidents with providing a incident name, this is the name of the alert rule that triggered the incident
    #>


    [cmdletbinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$WorkspaceName,

        [Parameter(Mandatory = $false,
            ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string[]]$IncidentName,

        [Parameter(Mandatory = $false,
            ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [int[]]$CaseNumber
    )

    begin {
        precheck
    }

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
                }
            }
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
                }
            }
        }
        Get-LogAnalyticWorkspace @arguments

        $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/Cases?api-version=2019-01-01-preview"
        Write-Verbose -Message "Using URI: $($uri)"
        $incident = Invoke-webrequest -Uri $uri -Method get -Headers $script:authHeader
        Write-Verbose "Found $((($incident.Content | ConvertFrom-Json).value).count) incidents"
        $return = @()

        if ($incident) {
            if ($IncidentName.Count -ge 1) {
                foreach ($rule in $IncidentName) {
                    [PSCustomObject]$temp = ($incident.Content | ConvertFrom-Json).value | Where-Object { $_.properties.title -eq $rule }
                    if ($null -ne $temp) {
                        $return += $temp.properties
                    }
                    else {
                        Write-Error "Unable to find incident: $rule"
                    }
                }
                return $return
            }
            elseif ($CaseNumber.Count -ge 1) {
                foreach ($rule in $CaseNumber) {
                    [PSCustomObject]$temp = ($incident.Content | ConvertFrom-Json).value | Where-Object { $_.properties.caseNumber -eq $rule }
                    if ($null -ne $temp) {
                        $return += $temp.properties
                    }
                    else {
                        Write-Error "Unable to find incident: $rule"
                    }
                }
                return $return
            }
            else {
                ($incident.Content | ConvertFrom-Json).value | ForEach-Object {
                    return $_.properties
                }
            }
        }
        else {
            Write-Warning "No incident found on $($WorkspaceName)"
        }
    }
}

function Import-AzSentinelAlertRule {
    <#
    .SYNOPSIS
    Import Azure Sentinal Alert rule
    .DESCRIPTION
    This function imports Azure Sentinal Alert rules from JSON and YAML config files.
    This way you can manage your Alert rules dynamic from JSON or multiple YAML files
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER SettingsFile
    Path to the JSON or YAML file for the AlertRules
    .EXAMPLE
    Import-AzSentinelAlertRule -WorkspaceName "" -SettingsFile ".\examples\AlertRules.json"
    In this example all the rules configured in the JSON file will be created or updated
    .EXAMPLE
    Import-AzSentinelAlertRule -WorkspaceName "" -SettingsFile ".\examples\SuspectApplicationConsent.yaml"
    In this example all the rules configured in the YAML file will be created or updated
    .EXAMPLE
    Get-Item .\examples\*.json | Import-AzSentinelAlertRule -WorkspaceName ""
    In this example you can select multiple JSON files and Pipeline it to the SettingsFile parameter
    #>


    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $WorkspaceName,

        [Parameter(Mandatory, ValueFromPipeline)]
        [ValidateScript( { (Test-Path -Path $_) -and ($_.Extension -in '.json', '.yaml', '.yml') })]
        [System.IO.FileInfo] $SettingsFile
    )

    begin {
        precheck
    }

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
                }
            }
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
                }
            }
        }
        Get-LogAnalyticWorkspace @arguments

        $errorResult = ''

        if ($SettingsFile.Extension -eq '.json') {
            try {
                $analytics = (Get-Content $SettingsFile -Raw | ConvertFrom-Json -ErrorAction Stop).analytics
                Write-Verbose -Message "Found $($analytics.count) rules"
            }
            catch {
                Write-Verbose $_
                Write-Error -Message 'Unable to convert JSON file' -ErrorAction Stop
            }
        }
        elseif ($SettingsFile.Extension -in '.yaml', 'yml') {
            try {
                $analytics = [pscustomobject](Get-Content $SettingsFile -Raw | ConvertFrom-Yaml -ErrorAction Stop)
                $analytics | Add-Member -MemberType NoteProperty -Name DisplayName -Value $analytics.name
                Write-Verbose -Message 'Found compatibel yaml file'
            }
            catch {
                Write-Verbose $_
                Write-Error -Message 'Unable to convert yaml file' -ErrorAction Stop
            }
        }

        foreach ($item in $analytics) {
            Write-Verbose -Message "Started with rule: $($item.displayName)"

            $guid = (New-Guid).Guid

            try {
                Write-Verbose -Message "Get rule $($item.description)"
                $content = Get-AzSentinelAlertRule @arguments -RuleName $($item.displayName) -ErrorAction SilentlyContinue

                if ($content) {
                    Write-Verbose -Message "Rule $($item.displayName) exists in Azure Sentinel"

                    $item | Add-Member -NotePropertyName name -NotePropertyValue $content.name -Force
                    $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.etag -Force
                    $item | Add-Member -NotePropertyName Id -NotePropertyValue $content.id -Force

                    $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($content.name)?api-version=2019-01-01-preview"
                }
                else {
                    Write-Verbose -Message "Rule $($item.displayName) doesn't exists in Azure Sentinel"

                    $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force
                    $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force
                    $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/providers/Microsoft.SecurityInsights/alertRules/$guid" -Force
                    $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($guid)?api-version=2019-01-01-preview"
                }
            }
            catch {
                $errorReturn = $_
                $errorResult = ($errorReturn | ConvertFrom-Json ).error
                Write-Verbose $_
                Write-Error "Unable to connect to APi to get Analytic rules with message: $($errorResult.message)" -ErrorAction Stop
            }

            try {
                $bodyAlertProp = [AlertProp]::new(
                    $item.name,
                    $item.displayName,
                    $item.description,
                    $item.severity,
                    $item.enabled,
                    $item.query,
                    $item.queryFrequency,
                    $item.queryPeriod,
                    $item.triggerOperator,
                    $item.triggerThreshold,
                    $item.suppressionDuration,
                    $item.suppressionEnabled,
                    $item.tactics
                )
                $body = [AlertRule]::new( $item.name, $item.etag, $bodyAlertProp, $item.Id)
            }
            catch {
                Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Continue
            }

            if ($content) {
                $compareResult = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name)
                if ($compareResult) {
                    Write-Output "Found Differences for rule: $($item.displayName)"
                    Write-Output ($compareResult | Format-Table | Out-String)

                    if ($PSCmdlet.ShouldProcess("Do you want to update profile: $($body.Properties.DisplayName)")) {
                        try {
                            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings)
                            Write-Output "Successfully updated rule: $($item.displayName) with status: $($result.StatusDescription)"
                            Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                        }
                        catch {
                            $errorReturn = $_
                            $errorResult = ($errorReturn | ConvertFrom-Json ).error
                            Write-Verbose $_.Exception.Message
                            Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Continue
                        }
                    }
                    else {
                        Write-Output "No change have been made for rule $($item.displayName), deployment aborted"
                    }
                }
                else {
                    Write-Output "Rule $($item.displayName) is compliance, nothing to do"
                    Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                }
            }
            else {
                Write-Verbose "Creating new rule: $($item.displayName)"

                try {
                    $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings)
                    Write-Output "Successfully created rule: $($item.displayName) with status: $($result.StatusDescription)"
                    Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                }
                catch {
                    $errorReturn = $_
                    $errorResult = ($errorReturn | ConvertFrom-Json ).error
                    Write-Verbose $_.Exception.Message
                    Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Continue
                }
            }
        }
    }
}

function Import-AzSentinelHuntingRule {
    <#
    .SYNOPSIS
    Import Azure Sentinal Hunting rule
    .DESCRIPTION
    This function imports Azure Sentinal Hunnting rules from JSON and YAML config files.
    This way you can manage your Hunting rules dynamic from JSON or multiple YAML files
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER SettingsFile
    Path to the JSON or YAML file for the Hunting rules
    .EXAMPLE
    Import-AzSentinelHuntingRule -WorkspaceName "infr-weu-oms-t-7qodryzoj6agu" -SettingsFile ".\examples\HuntingRules.json"
    In this example all the rules configured in the JSON file will be created or updated
    .EXAMPLE
    Import-AzSentinelHuntingRule -WorkspaceName "" -SettingsFile ".\examples\HuntingRules.yaml"
    In this example all the rules configured in the YAML file will be created or updated
    .EXAMPLE
    Get-Item .\examples\HuntingRules*.json | Import-AzSentinelHuntingRule -WorkspaceName ""
    In this example you can select multiple JSON files and Pipeline it to the SettingsFile parameter
    #>


    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $WorkspaceName,

        [Parameter(Mandatory, ValueFromPipeline)]
        [ValidateScript( { (Test-Path -Path $_) -and ($_.Extension -in '.json', '.yaml', '.yml') })]
        [System.IO.FileInfo] $SettingsFile
    )

    begin {
        precheck
    }

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
                }
            }
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
                }
            }
        }
        Get-LogAnalyticWorkspace @arguments

        $errorResult = ''
        $item = @{ }

        if ($SettingsFile.Extension -eq '.json') {
            try {
                $analytics = (Get-Content $SettingsFile -Raw | ConvertFrom-Json -ErrorAction Stop).analytics
                Write-Verbose -Message "Found $($analytics.count) rules"
            }
            catch {
                Write-Verbose $_
                Write-Error -Message 'Unable to convert JSON file' -ErrorAction Stop
            }
        }
        elseif ($SettingsFile.Extension -in '.yaml', 'yml') {
            try {
                $analytics = [pscustomobject](Get-Content $SettingsFile -Raw | ConvertFrom-Yaml -ErrorAction Stop)
                $analytics | Add-Member -MemberType NoteProperty -Name DisplayName -Value $analytics.name
                Write-Verbose -Message 'Found compatibel yaml file'
            }
            catch {
                Write-Verbose $_
                Write-Error -Message 'Unable to convert yaml file' -ErrorAction Stop
            }
        }

        foreach ($item in $analytics) {
            Write-Verbose -Message "Started with Hunting rule: $($item.displayName)"

            try {
                Write-Verbose -Message "Get rule $($item.description)"
                $content = Get-AzSentinelHuntingRule @arguments -RuleName $($item.displayName) -WarningAction SilentlyContinue

                if ($content) {
                    Write-Verbose -Message "Hunting rule $($item.displayName) exists in Azure Sentinel"

                    $item | Add-Member -NotePropertyName name -NotePropertyValue $content.name -Force
                    $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.etag -Force
                    $item | Add-Member -NotePropertyName Id -NotePropertyValue $content.id -Force

                    $uri = "$script:baseUri/savedSearches/$($content.name)?api-version=2017-04-26-preview"
                }
                else {
                    Write-Verbose -Message "Hunting rule $($item.displayName) doesn't exists in Azure Sentinel"

                    $guid = (New-Guid).Guid

                    $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force
                    $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force
                    $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/savedSearches/$guid" -Force

                    $uri = "$script:baseUri/savedSearches/$($guid)?api-version=2017-04-26-preview"
                }
            }
            catch {
                $errorReturn = $_
                $errorResult = ($errorReturn | ConvertFrom-Json ).error
                Write-Verbose $_
                Write-Error "Unable to connect to APi to get Analytic rules with message: $($errorResult.message)" -ErrorAction Stop
            }

            [PSCustomObject]$body = @{
                "name"       = $item.name
                "eTag"       = $item.etag
                "id"         = $item.id
                "properties" = @{
                    'Category'             = 'Hunting Queries'
                    'DisplayName'          = [string]$item.displayName
                    'Query'                = [string]$item.query
                    [pscustomobject]'Tags' = @(
                        @{
                            'Name'  = "description"
                            'Value' = [string]$item.description
                        },
                        @{
                            "Name"  = "tactics"
                            "Value" = [Tactics[]] $item.tactics -join ','
                        },
                        @{
                            "Name"  = "createdBy"
                            "Value" = ""
                        },
                        @{
                            "Name"  = "createdTimeUtc"
                            "Value" = ""
                        }
                    )
                }
            }

            if ($content) {
                $compareResult1 = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, Tags, Version) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, Tags, Version)
                $compareResult2 = Compare-Policy -ReferenceTemplate ($content.Tags | Where-Object { $_.name -eq "tactics" }) -DifferenceTemplate ($body.Properties.Tags | Where-Object { $_.name -eq "tactics" })
                $compareResult = [PSCustomObject]$compareResult1 + [PSCustomObject]$compareResult2

                if ($compareResult) {
                    Write-Output "Found Differences for hunting rule: $($item.displayName)"
                    Write-Output ($compareResult | Format-Table | Out-String)

                    if ($PSCmdlet.ShouldProcess("Do you want to update hunting rule: $($body.Properties.DisplayName)")) {
                        try {
                            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                            Write-Output "Successfully updated hunting rule: $($item.displayName) with status: $($result.StatusDescription)"
                            Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                        }
                        catch {
                            $errorReturn = $_
                            $errorResult = ($errorReturn | ConvertFrom-Json ).error
                            Write-Verbose $_.Exception.Message
                            Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Stop
                        }
                    }
                    else {
                        Write-Output "No change have been made for hunting rule $($item.displayName), deployment aborted"
                    }
                }
                else {
                    Write-Output "Hunting rule $($item.displayName) is compliance, nothing to do"
                    Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                }
            }
            else {
                Write-Verbose "Creating new rule: $($item.displayName)"

                try {
                    $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                    Write-Output "Successfully created hunting rule: $($item.displayName) with status: $($result.StatusDescription)"
                    Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                }
                catch {
                    $errorReturn = $_
                    $errorResult = ($errorReturn | ConvertFrom-Json ).error
                    Write-Verbose $_.Exception.Message
                    Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Stop
                }
            }
        }
    }
}

function New-AzSentinelAlertRule {
    <#
    .SYNOPSIS
    Create Azure Sentinal Alert Rules
    .DESCRIPTION
    Use this function creates Azure Sentinal Alert rules from provided CMDLET
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER DisplayName
    Enter the Display name for the Alert rule
    .PARAMETER Description
    Enter the Description for the Alert rule
    .PARAMETER Severity
    Enter the Severity, valid values: Medium", "High", "Low", "Informational"
    .PARAMETER Enabled
    Set $true to enable the Alert Rule or $false to disable Alert Rule
    .PARAMETER Query
    Enter the Query that you want to use
    .PARAMETER QueryFrequency
    Enter the query frequency, example: 5H or 5M (H stands for Hour and M stands for Minute)
    .PARAMETER QueryPeriod
    Enter the quury period, exmaple: 5H or 5M (H stands for Hour and M stands for Minute)
    .PARAMETER TriggerOperator
    Select the triggert Operator, valid values are: "GreaterThan", "FewerThan", "EqualTo", "NotEqualTo"
    .PARAMETER TriggerThreshold
    Enter the trigger treshold
    .PARAMETER SuppressionDuration
    Enter the suppression duration, example: 5H or 5M (H stands for Hour and M stands for Minute)
    .PARAMETER SuppressionEnabled
    Set $true to enable Suppression or $false to disable Suppression
    .PARAMETER Tactics
    Enter the Tactics, valid values: "InitialAccess", "Persistence", "Execution", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "LateralMovement", "Discovery", "Collection", "Exfiltration", "CommandAndControl", "Impact"
    .EXAMPLE
    New-AzSentinelAlertRule -WorkspaceName "" -DisplayName "" -Description "" -Severity -Enabled $true -Query '' -QueryFrequency "" -QueryPeriod "" -TriggerOperator -TriggerThreshold -SuppressionDuration "" -SuppressionEnabled $false -Tactics @("","")
    In this example you create a new Alert rule by defining the rule properties from CMDLET
    #>


    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $WorkspaceName,

        [Parameter(Mandatory)]
        [string] $DisplayName,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $Description,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [Severity] $Severity,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [bool] $Enabled,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $Query,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $QueryFrequency,

        [ValidateNotNullOrEmpty()]
        [string] $QueryPeriod,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [TriggerOperator] $TriggerOperator,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [Int] $TriggerThreshold,

        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string] $SuppressionDuration,

        [Parameter(Mandatory)]
        [bool] $SuppressionEnabled,

        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [Tactics[]] $Tactics
    )

    begin {
        precheck
    }
    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
                }
            }
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
                }
            }
        }
        Get-LogAnalyticWorkspace @arguments

        $errorResult = ''
        $item = @{ }

        Write-Verbose -Message "Creating new rule: $($DisplayName)"
        try {
            Write-Verbose -Message "Get rule $DisplayName"
            $content = Get-AzSentinelAlertRule @arguments -RuleName $DisplayName -ErrorAction SilentlyContinue

            if ($content) {
                Write-Verbose -Message "Rule $($DisplayName) exists in Azure Sentinel"

                $item | Add-Member -NotePropertyName name -NotePropertyValue $content.name -Force
                $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.eTag -Force
                $item | Add-Member -NotePropertyName Id -NotePropertyValue $content.id -Force

                $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($content.name)?api-version=2019-01-01-preview"
            }
            else {
                Write-Verbose -Message "Rule $($DisplayName) doesn't exists in Azure Sentinel"

                $guid = (New-Guid).Guid

                $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force
                $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force
                $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/providers/Microsoft.SecurityInsights/alertRules/$guid" -Force

                $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($guid)?api-version=2019-01-01-preview"
            }
        }
        catch {
            $errorReturn = $_
            $errorResult = ($errorReturn | ConvertFrom-Json ).error
            Write-Verbose $_
            Write-Error "Unable to connect to APi to get Analytic rules with message: $($errorResult.message)" -ErrorAction Stop
        }

        try {
            $bodyAlertProp = [AlertProp]::new(
                $item.name,
                $DisplayName,
                $Description,
                $Severity,
                $Enabled,
                $Query,
                $QueryFrequency,
                $QueryPeriod,
                $TriggerOperator,
                $TriggerThreshold,
                $SuppressionDuration,
                $SuppressionEnabled,
                $Tactics
            )
            $body = [AlertRule]::new( $item.name, $item.etag, $bodyAlertProp, $item.Id)
        }
        catch {
            Write-Error "Unable to initiate class with error: $($_.Exception.Message)" -ErrorAction Stop
        }

        if ($content) {
            $compareResult = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name)
            if ($compareResult) {
                Write-Output "Found Differences for rule: $($DisplayName)"
                Write-Output ($compareResult | Format-Table | Out-String)

                if ($PSCmdlet.ShouldProcess("Do you want to update profile: $($body.Properties.DisplayName)")) {
                    try {
                        $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings)
                        Write-Output "Successfully updated rule: $($DisplayName) with status: $($result.StatusDescription)"
                        Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
                    }
                    catch {
                        $errorReturn = $_
                        $errorResult = ($errorReturn | ConvertFrom-Json ).error
                        Write-Verbose $_.Exception.Message
                        Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Stop
                    }
                }
                else {
                    Write-Output "No change have been made for rule $($DisplayName), deployment aborted"
                }
            }
            else {
                Write-Output "Rule $($DisplayName) is compliance, nothing to do"
                Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
            }
        }
        else {
            Write-Verbose "Creating new rule: $($DisplayName)"

            try {
                $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -EnumsAsStrings)
                Write-Output "Successfully created rule: $($DisplayName) with status: $($result.StatusDescription)"
                Write-Output ($body.Properties | Format-List | Format-Table | Out-String)
            }
            catch {
                $errorReturn = $_
                $errorResult = ($errorReturn | ConvertFrom-Json ).error
                Write-Verbose $_.Exception.Message
                Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Stop
            }
        }
    }
}

function New-AzSentinelHuntingRule {
    <#
    .SYNOPSIS
    Create Azure Sentinal Hunting Rule
    .DESCRIPTION
    Use this function to creates Azure Sentinal Hunting rule
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER DisplayName
    Enter the Display name for the hunting rule
    .PARAMETER Description
    Enter the Description for the hunting rule
    .PARAMETER Tactics
    Enter the Tactics, valid values: "InitialAccess", "Persistence", "Execution", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "LateralMovement", "Discovery", "Collection", "Exfiltration", "CommandAndControl", "Impact"
    .PARAMETER Query
    Enter the querry in KQL format
    .EXAMPLE
    New-AzSentinelHuntingRule -WorkspaceName "" -DisplayName "" -Description "" -Tactics "","" -Query ''
    In this example you create a new hunting rule by defining the rule properties from CMDLET
    #>


    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $WorkspaceName,

        [Parameter(Mandatory)]
        [string] $DisplayName,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $Query,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $Description,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [Tactics[]] $Tactics

    )

    begin {
        precheck
    }
    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
                }
            }
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
                }
            }
        }
        Get-LogAnalyticWorkspace @arguments

        $item = @{ }
        $content = $null
        $body = @{ }
        $compareResult1 = $null
        $compareResult2 = $null
        $compareResult = $null

        Write-Verbose -Message "Creating new Hunting rule: $($DisplayName)"

        try {
            Write-Verbose -Message "Get hunting rule $DisplayName"
            $content = Get-AzSentinelHuntingRule @arguments -RuleName $DisplayName -WarningAction SilentlyContinue

            if ($content) {
                Write-Verbose -Message "Hunting rule $($DisplayName) exists in Azure Sentinel"

                $item | Add-Member -NotePropertyName name -NotePropertyValue $content.name -Force
                $item | Add-Member -NotePropertyName etag -NotePropertyValue $content.eTag -Force
                $item | Add-Member -NotePropertyName Id -NotePropertyValue $content.id -Force


                $uri = "$script:baseUri/savedSearches/$($content.name)?api-version=2017-04-26-preview"
            }
            else {
                Write-Verbose -Message "Hunting rule $($DisplayName) doesn't exists in Azure Sentinel"

                $guid = (New-Guid).Guid

                $item | Add-Member -NotePropertyName name -NotePropertyValue $guid -Force
                $item | Add-Member -NotePropertyName etag -NotePropertyValue $null -Force
                $item | Add-Member -NotePropertyName Id -NotePropertyValue "$script:Workspace/savedSearches/$guid" -Force

                $uri = "$script:baseUri/savedSearches/$($guid)?api-version=2017-04-26-preview"
            }
        }
        catch {
            $errorReturn = $_
            $errorResult = ($errorReturn | ConvertFrom-Json ).error
            Write-Verbose $_
            Write-Error "Unable to connect to APi to get Analytic rules with message: $($errorResult.message)" -ErrorAction Stop
        }

        [PSCustomObject]$body = @{
            "name"       = $item.name
            "eTag"       = $item.etag
            "id"         = $item.id
            "properties" = @{
                'Category'             = 'Hunting Queries'
                'DisplayName'          = $DisplayName
                'Query'                = $Query
                [pscustomobject]'Tags' = @(
                    @{
                        'Name'  = "description"
                        'Value' = $Description
                    },
                    @{
                        "Name"  = "tactics"
                        "Value" = $Tactics -join ','
                    },
                    @{
                        "Name"  = "createdBy"
                        "Value" = ""
                    },
                    @{
                        "Name"  = "createdTimeUtc"
                        "Value" = ""
                    }
                )
            }
        }

        #return $content
        if ($content) {
            $compareResult1 = Compare-Policy -ReferenceTemplate ($content | Select-Object * -ExcludeProperty lastModifiedUtc, alertRuleTemplateName, name, etag, id, Tags, Version) -DifferenceTemplate ($body.Properties | Select-Object * -ExcludeProperty name, Tags, Version)
            $compareResult2 = Compare-Policy -ReferenceTemplate ($content.Tags | Where-Object { $_.name -eq "tactics" }) -DifferenceTemplate ($body.Properties.Tags | Where-Object { $_.name -eq "tactics" })
            $compareResult = [PSCustomObject]$compareResult1 + [PSCustomObject]$compareResult2

            if ($compareResult) {
                Write-Output "Found Differences for hunting rule: $($DisplayName)"
                Write-Output ($compareResult | Format-Table | Out-String)

                if ($PSCmdlet.ShouldProcess("Do you want to update hunting rule: $($DisplayName)")) {
                    try {
                        Write-Output ($body.properties | Format-Table)

                        $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                        Write-Output "Successfully updated hunting rule: $($DisplayName) with status: $($result.StatusDescription)"
                    }
                    catch {
                        $errorReturn = $_
                        $errorResult = ($errorReturn | ConvertFrom-Json).error
                        Write-Verbose $_.Exception.Message
                        Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Stop
                    }
                }
                else {
                    Write-Output "No change have been made for rule $($DisplayName), deployment aborted"
                }
            }
            else {
                Write-Output "Hunting rule $($DisplayName) is compliance, nothing to do"
                Write-Output ($body.properties | Format-Table)
            }
        }
        else {
            Write-Verbose "Creating new hunting rule: $($DisplayName)"

            try {

                $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json -Depth 10 -EnumsAsStrings)
                Write-Output "Successfully created hunting rule: $($DisplayName) with status: $($result.StatusDescription)"
                Write-Output ($body.properties | Format-Table)
            }
            catch {
                $errorReturn = $_
                $errorResult = ($errorReturn | ConvertFrom-Json ).error
                Write-Verbose $_.Exception.Message
                Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Stop
            }
        }
    }
}

function Remove-AzSentinelAlertRule {
    <#
    .SYNOPSIS
    Remove Azure Sentinal Alert Rules
    .DESCRIPTION
    With this function you can remove Azure Sentinal Alert rules from Powershell, if you don't provide andy Rule name all rules will be removed
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER RuleName
    Enter the name of the rule that you wnat to remove
    .EXAMPLE
    Remove-AzSentinelAlertRule -WorkspaceName "" -RuleName ""
    In this example the defined rule will be removed from Azure Sentinel
    .EXAMPLE
    Remove-AzSentinelAlertRule -WorkspaceName "" -RuleName "","", ""
    In this example you can define multiple rules that will be removed
    .EXAMPLE
    Remove-AzSentinelAlertRule -WorkspaceName ""
    In this example no rule is specified, all rules will be removed one by one. For each rule you need to confirm the action
    #>


    [cmdletbinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$WorkspaceName,

        [Parameter(Mandatory = $false,
            ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string[]]$RuleName
    )

    begin {
        precheck
    }

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
                }
            }
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
                }
            }
        }
        Get-LogAnalyticWorkspace @arguments

        if ($RuleName) {
            # remove defined rules
            foreach ($rule in $RuleName) {
                $item = Get-AzSentinelAlertRule @arguments -RuleName $rule -WarningAction SilentlyContinue
                if ($item) {
                    $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($item.name)?api-version=2019-01-01-preview"

                    if ($PSCmdlet.ShouldProcess("Do you want to remove: $rule")) {
                        Write-Output $item
                        $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader
                        Write-Output "Successfully removed rule: $($rule) with status: $($result.StatusDescription)"
                    }
                    else {
                        Write-Output "No change have been made for rule: $rule"
                    }
                }
                else {
                    Write-Warning "$rule not found in $WorkspaceName"
                }
            }
        }
        else {
            Write-Warning "No Rule selected, All rules will be removed one by one!"
            Get-AzSentinelAlertRule @arguments | ForEach-Object {
                $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules/$($_.name)?api-version=2019-01-01-preview"

                if ($PSCmdlet.ShouldProcess("Do you want to remove: $($_.displayName)")) {
                    $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader
                    Write-Output "Successfully removed rule: $($_.displayName) with status: $($result.StatusDescription)"
                }
                else {
                    Write-Output "No change have been made for rule: $($_.displayName)"
                }
            }
        }
    }
}

function Remove-AzSentinelHuntingRule {
    <#
    .SYNOPSIS
    Remove Azure Sentinal Hunting Rules
    .DESCRIPTION
    With this function you can remove Azure Sentinal hunting rules from Powershell, if you don't provide andy Hunting rule name all rules will be removed
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .PARAMETER RuleName
    Enter the name of the rule that you wnat to remove
    .EXAMPLE
    Remove-AzSentinelHuntingRule -WorkspaceName "" -RuleName ""
    In this example the defined hunting rule will be removed from Azure Sentinel
    .EXAMPLE
    Remove-AzSentinelHuntingRule -WorkspaceName "" -RuleName "","", ""
    In this example you can define multiple hunting rules that will be removed
    .EXAMPLE
    Remove-AzSentinelHuntingRule -WorkspaceName ""
    In this example no hunting rule is specified, all hunting rules will be removed one by one. For each rule you need to confirm the action
    #>


    [cmdletbinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$WorkspaceName,

        [Parameter(Mandatory = $false,
            ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string[]]$RuleName
    )

    begin {
        precheck
    }

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
                }
            }
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
                }
            }
        }
        Get-LogAnalyticWorkspace @arguments

        if ($RuleName) {
            # remove defined rules
            foreach ($rule in $RuleName) {
                $item = Get-AzSentinelHuntingRule @arguments -RuleName $rule
                if ($item) {
                    $uri = "$script:baseUri/savedSearches/$($item.name)?api-version=2017-04-26-preview"

                    if ($PSCmdlet.ShouldProcess("Do you want to remove: $rule")) {
                        Write-Output $item
                        $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader
                        Write-Output "Successfully removed hunting rule: $($rule) with status: $($result.StatusDescription)"
                    }
                    else {
                        Write-Output "No change have been made for hunting rule: $rule"
                    }
                }
                else {
                    Write-Warning "Hunting rule $rule not found in $WorkspaceName"
                }
            }
        }
        else {
            Write-Warning "No hunting rule selected, All hunting rules will be removed one by one!"
            Get-AzSentinelHuntingRule @arguments | ForEach-Object {
                $uri = "$script:baseUri/savedSearches/$($_.name)?api-version=2017-04-26-preview"
                if ($PSCmdlet.ShouldProcess("Do you want to remove: $($_.displayName)")) {
                    $result = Invoke-WebRequest -Uri $uri -Method DELETE -Headers $script:authHeader
                    Write-Output "Successfully removed hunting rule: $($_.displayName) with status: $($result.StatusDescription)"
                }
                else {
                    Write-Output "No change have been made for hunting rule: $($_.displayName)"
                }
            }
        }
    }
}

function Set-AzSentinel {
    <#
    .SYNOPSIS
    Enable Azure Sentinel
    .DESCRIPTION
    This function enables Azure Sentinel on a existing Workspace
    .PARAMETER SubscriptionId
    Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
    .PARAMETER WorkspaceName
    Enter the Workspace name
    .EXAMPLE
    Set-AzSentinel -WorkspaceName ""
    This example will enable Azure Sentinel for the provided workspace
    #>


    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        [Parameter(Mandatory = $false,
            ParameterSetName = "Sub")]
        [ValidateNotNullOrEmpty()]
        [string] $SubscriptionId,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$WorkspaceName

    )
    begin {
        precheck
    }

    process {
        switch ($PsCmdlet.ParameterSetName) {
            Sub {
                $arguments = @{
                    WorkspaceName  = $WorkspaceName
                    SubscriptionId = $SubscriptionId
                }
            }
            default {
                $arguments = @{
                    WorkspaceName = $WorkspaceName
                }
            }
        }
        $workspaceResult = Get-LogAnalyticWorkspace @arguments -FullObject

        # Variables
        $errorResult = ''

        Write-Output $Script:workspace

        if ($workspaceResult.properties.provisioningState -eq 'Succeeded') {
            $body = @{
                'id'         = ''
                'etag'       = ''
                'name'       = ''
                'type'       = ''
                'location'   = $workspaceResult.location
                'properties' = @{
                    'workspaceResourceId' = $workspaceResult.id
                }
                'plan'       = @{
                    'name'          = 'SecurityInsights($workspace)'
                    'publisher'     = 'Microsoft'
                    'product'       = 'OMSGallery/SecurityInsights'
                    'promotionCode' = ''
                }
            }
            $uri = "$(($Script:baseUri).Split('microsoft.operationalinsights')[0])Microsoft.OperationsManagement/solutions/SecurityInsights($WorkspaceName)?api-version=2015-11-01-preview"

            try {
                $solutionResult = Invoke-webrequest -Uri $uri -Method Get -Headers $script:authHeader
                Write-Output "Azure Sentinel is already enabled on $WorkspaceName and status is: $($solutionResult.StatusDescription)"
            }
            catch {
                $errorReturn = $_
                $errorResult = ($errorReturn | ConvertFrom-Json ).error
                if ($errorResult.Code -eq 'ResourceNotFound') {
                    Write-Output "Azure Sentinetal is not enabled on workspace: $($WorkspaceName)"
                    try {
                        if ($PSCmdlet.ShouldProcess("Do you want to enable Sentinel for Workspace: $workspace")) {
                            $result = Invoke-webrequest -Uri $uri -Method Put -Headers $script:authHeader -Body ($body | ConvertTo-Json)
                            Write-Output "Successfully enabled Sentinel on workspae: $WorkspaceName"
                            return $result
                        }
                        else {
                            Write-Output "No change have been made for rule $WorkspaceName, deployment aborted"
                        }
                    }
                    catch {
                        $errorReturn = $_
                        $errorResult = ($errorReturn | ConvertFrom-Json ).error
                        Write-Error "Unable to enable Sentinel on $WorkspaceName with error message: $($errorResult.message)"
                    }

                }
                else {
                    Write-Verbose $_
                    Write-Error "Unable to invoke webrequest with error message: $($errorResult.message)" -ErrorAction Stop
                }
            }

        }
        else {
            Write-Error "Workspace $WorkspaceName is currently in $($workspaceResult.properties.provisioningState) status, setup canceled"
        }
    }
}